Cisco Identity Services Engine Network Component Compatibility, Release 3.2

Contents

- Overview
- Validated Security Product Integrations (over pxGrid)
- Validated Cisco Digital Network Architecture Center Release
- Validated Cisco Prime Infrastructure Release
- Validated Cisco Firepower Management Center Release
- Validated Cisco Stealthwatch Management Release
- Validated Cisco WAN Service Administrator Release
- Support for Threat Centric NAC
- Additional References
- Communications, Services, and Additional Information

Revised: November 10, 2022

Overview

Cisco ISE supports protocol standards like RADIUS, its associated RFC Standards, and TACACS+. For more information, see the ISE Community Resources. Cisco ISE supports interoperability with any Cisco or non-Cisco RADIUS client network access device (NAD) that implements common RADIUS behavior for standards-based authentication. Cisco ISE interoperates fully with third-party TACACS+ client devices that adhere to the governing protocols. Support for TACACS+ functions depends on the device-specific implementation.

RADIUS

Cisco ISE interoperates fully with third-party RADIUS devices that adhere to the standard protocols. Support for RADIUS functions depends on the device-specific implementation. Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality. We recommend that you validate all network devices and their software for hardware capabilities or bugs in a particular software release. If the network device does not support both dynamic and static URL redirects, Cisco ISE provides an Auth VLAN configuration by which URL redirect is simulated. For more information, see the "Third-Party Network Device Support in Cisco ISE" section in the chapter "Secure Wired Access" in the Cisco Identity Services Engine Administrator Guide.

TACACS+

Cisco ISE interoperates fully with third-party TACACS+ client devices that adhere to the governing protocols. Support for TACACS+ functions depends on the device-specific implementation. For information on enabling specific functions of Cisco ISE on network switches, see the "Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions" chapter in the Cisco Identity Services Engine Administrator Guide.

ISE Community Resource: Does ISE Support My Network Access Device?

For information about third-party NAD profiles, see ISE Third-Party NAD Profiles and Configs. For information on how to configure TACACS+ for Nexus devices, see the Cisco ISE Device Administration Prescriptive Deployment Guide.

Note

- Some switch models and IOS versions may have reached the end-of-life date and interoperability may not be supported by Cisco TAC.

- You must use the latest version of NetFlow for the Cisco ISE profiling service. If you use NetFlow Version 5, you can use it only on the primary NAD at the access layer.

For Wireless LAN Controllers, note the following:

- MAC authentication bypass (MAB) supports MAC filtering with RADIUS lookup.

- Support for session ID and COA with MAC filtering provides MAB-like functionality.

- DNS-based ACL feature is supported for WLC 8.0 and above. Not all Access Points support DNS-based ACL. See the Cisco Access Points Release Notes for more details.

For information about the devices that are validated with Cisco ISE, see Network Device Capabilities Validated with Cisco Identity Services Engine.

Supported Protocol Standards, RFCs, and IETF Drafts

Cisco ISE conforms to the following protocol standards, Requests for Comments (RFCs), and IETF drafts:

- Supported IEEE Standards
  - IEEE802.1X-Std-2001
  - IEEE802.1X-Std-2004

- Supported IETF RFCs
  - RFC2138 - RADIUS
  - RFC2246 - TLSv1.0
  - RFC2548 - Microsoft Vendor-specific RADIUS Attributes
  - RFC2759 - Microsoft PPP CHAP Extensions, Version 2
  - RFC2865 - RADIUS
  - RFC2866 - RADIUS Accounting
  - RFC2867 - RADIUS Accounting Modifications for Tunnel Protocol Support
  - RFC2868 - RADIUS Attributes for Tunnel Protocol Support
  - RFC2869 - RADIUS Extensions
  - RFC3579 - RADIUS Support For EAP
  - RFC3580 - IEEE 802.1X RADIUS Usage Guidelines
  - RFC3748 - EAP
  - RFC4017 - EAP Method Requirements for Wireless LANs
  - RFC4851 - EAP-FAST
  - RFC5176 - Dynamic Authorization Extensions to RADIUS
  - RFC5216 - EAP-TLS Authentication Protocol
  - RFC5281 - Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)
  - RFC5422 - Dynamic Provisioning Using Flexible Authentication via Secure Tunneling Extensible Authentication Protocol (EAP-FAST)
  - RFC5425 - Transport Layer Security (TLS) Transport Mapping for Syslog
  - RFC6587 - Transmission of Syslog Messages over TCP
  - RFC7360 - Datagram Transport Layer Security (DTLS) as a Transport Layer for RADIUS

  The following RFCs are partially supported:
  - RFC2548 - Microsoft Vendor-specific RADIUS Attributes
  - RFC2882 - Network Access Servers Requirements: Extended RADIUS Practices
  - RFC7030 - Enrollment over Secure Transport (EST) (supported as part of BYOD flow)
  - RFC7170 - Tunnel Extensible Authentication Protocol (TEAP) Version 1

- Supported IETF Drafts
  - IETF Draft - PEAP Version 0
  - IETF Draft - PEAP Version 1
  - IETF Draft - PEAP Version 2
  - IETF Draft - Microsoft EAP CHAP Extensions Version 2

AAA Attributes for RADIUS Proxy Service

For RADIUS proxy service, the following authentication, authorization, and accounting (AAA) attributes must be included in the RADIUS communication:

- Calling-Station-ID (IP or MAC_ADDRESS)
- RADIUS::NAS_IP_Address
- RADIUS::NAS_Identifier

AAA Attributes for Third-Party VPN Concentrators

For VPN concentrators to integrate with Cisco ISE, the following authentication, authorization, and accounting (AAA) attributes should be included in the RADIUS communication:

- Calling-Station-ID (tracks individual client by MAC or IP address)
- User-Name (tracks remote client by login name)
- NAS-Port-Type (helps to determine connection type as VPN)
- RADIUS Accounting Start (triggers official start of session)
- RADIUS Accounting Stop (triggers official end of session and releases ISE license)
- RADIUS Accounting Interim Update on IP address change (for example, SSL VPN connection transitions from Web-based to a full-tunnel client)


Note: For VPN devices, the RADIUS Accounting messages must have the Framed-IP-Address attribute set to the client's VPN-assigned IP address to track the endpoint while on a trusted network.
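A defender validating a third-party NAD against the two attribute lists above (RADIUS proxy and VPN concentrator) can decode a captured Accounting-Request and report which required attributes are absent. This is an added example, not Cisco code: the attribute type codes are from RFC 2865/2866, and the sample packet, user name and addresses are constructed.

```python
import socket
import struct

# RFC 2865/2866 attribute type codes for the attributes this document names.
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CALLING_STATION_ID, NAS_IDENTIFIER, ACCT_STATUS_TYPE, NAS_PORT_TYPE = 31, 32, 40, 61
ACCOUNTING_REQUEST = 4  # RADIUS packet Code for Accounting-Request (RFC 2866)

# Required attribute sets taken from the two lists in this document.
PROXY_REQUIRED = (("Calling-Station-Id", CALLING_STATION_ID),
                  ("NAS-IP-Address", NAS_IP_ADDRESS), ("NAS-Identifier", NAS_IDENTIFIER))
VPN_REQUIRED = (("Calling-Station-Id", CALLING_STATION_ID), ("User-Name", USER_NAME),
                ("NAS-Port-Type", NAS_PORT_TYPE), ("Acct-Status-Type", ACCT_STATUS_TYPE),
                ("Framed-IP-Address", FRAMED_IP_ADDRESS))  # VPN-assigned client address

def parse_attributes(packet: bytes) -> dict:
    """Return {type: [raw value, ...]} from the TLVs after the 20-byte header."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed RADIUS Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:  # a TLV needs at least Type and Length octets
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # reject zero-length or overrunning TLVs
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def missing_attributes(packet: bytes, required) -> list:
    """Names from `required` that the accounting record does not carry."""
    attrs = parse_attributes(packet)
    return [name for name, code in required if code not in attrs]

def build_acct_request(attrs) -> bytes:
    """Assemble an Accounting-Request for offline checks; Identifier 0 and a
    zeroed Request Authenticator are acceptable only because nothing is sent."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 0, 20 + len(body)) + bytes(16) + body

# Constructed sample: the Interim-Update a concentrator sends after a web-based
# SSL VPN session moves to a full-tunnel client and receives a new address.
VPN_SAMPLE = build_acct_request([
    (USER_NAME, b"alice"),
    (CALLING_STATION_ID, b"198.51.100.23"),
    (NAS_PORT_TYPE, struct.pack("!I", 5)),     # 5 = Virtual (RFC 2865)
    (ACCT_STATUS_TYPE, struct.pack("!I", 3)),  # 3 = Interim-Update (RFC 2866)
    (FRAMED_IP_ADDRESS, socket.inet_aton("10.20.30.40")),
])
```

Running `missing_attributes(VPN_SAMPLE, PROXY_REQUIRED)` on the same record shows it would not satisfy the proxy list, since it carries neither NAS-IP-Address nor NAS-Identifier.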

System Requirements

For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.

For more details on hardware platforms and installation for this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.

For information on the SSM On-Prem server releases that support smart licensing, see the topic Configure Smart Software Manager On-Prem for Smart Licensing in the Chapter "Licensing", in the Cisco ISE Administrator Guide for your release.

Supported Hardware

Cisco ISE, Release 3.2, can be installed on the following platforms:

Table 1: Supported Platforms

Hardware Platform           Configuration
Cisco SNS-3595-K9 (large)   For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide.
Cisco SNS-3615-K9 (small)
Cisco SNS-3655-K9 (medium)
Cisco SNS-3695-K9 (large)

After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, or pxGrid on the platforms that are listed in the above table. In addition to these personas, Cisco ISE contains other types of personas within Policy Service, such as Profiling Service, Session Services, Threat-Centric NAC Service, SXP Service for TrustSec, TACACS+ Device Admin Service, and Passive Identity Service.

Caution

- Cisco ISE 3.1 and later releases do not support the Cisco Secured Network Server (SNS) 3515 appliance.

- Cisco SNS 3400 Series appliances are not supported in Cisco ISE, Release 2.4, and later.

- Memory allocation of less than 16 GB is not supported for VM appliance configurations. In the event of a Cisco ISE behavior issue, all users will be required to change the allocated memory to at least 16 GB before opening a case with the Cisco Technical Assistance Center.

- Legacy Access Control Server (ACS) and Network Access Control (NAC) appliances (including the Cisco ISE 3300 Series) are not supported in Cisco ISE, Release 2.0, and later.

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

- OVA templates: VMware version 14 or higher on ESXi 6.7 and later, and ESXi 7.x.
